ESET discovers PromptLock, the first AI-powered ransomware

  • ESET Research discovers PromptLock, a new type of ransomware using GenAI to execute attacks.
  • The malware runs a locally accessible AI language model to generate malicious Lua scripts in real time, which are compatible across Windows, Linux, and macOS.
  • PromptLock uses a freely available language model accessed via an API, meaning the generated malicious scripts are served directly to the infected device.
  • Based on predefined text prompts, PromptLock autonomously determines whether to exfiltrate or encrypt data.
  • While ESET considers PromptLock a proof of concept, the threat it represents is very real.

BRATISLAVA, August 27, 2025 — ESET researchers have uncovered a new type of ransomware that leverages generative artificial intelligence (GenAI) to execute attacks. Named PromptLock, the malware runs a locally accessible AI language model to generate malicious scripts in real time. During infection, the AI autonomously decides which files to search, copy, or encrypt — marking a potential turning point in how cybercriminals operate.

“The emergence of tools like PromptLock highlights a significant shift in the cyber threat landscape,” said Anton Cherepanov, senior malware researcher at ESET, who analyzed the malware alongside fellow researcher Peter Strýček.

PromptLock creates Lua scripts that are compatible across platforms, including Windows, Linux, and macOS. It scans local files, analyzes their content, and — based on predefined text prompts — determines whether to exfiltrate or encrypt the data. A destructive function is already embedded in the code, though it remains inactive for now.

The ransomware uses the SPECK 128-bit encryption algorithm and is written in Golang. Early variants have already surfaced on the malware analysis platform VirusTotal. While ESET considers PromptLock a proof of concept, the threat it represents is very real.

“With the help of AI, launching sophisticated attacks has become dramatically easier — eliminating the need for teams of skilled developers,” added Cherepanov. “A well-configured AI model is now enough to create complex, self-adapting malware. If properly implemented, such threats could severely complicate detection and make the work of cybersecurity defenders considerably more challenging.”

PromptLock uses a freely available language model accessed via an API, meaning the generated malicious scripts are served directly to the infected device. Notably, the prompt includes a Bitcoin address reportedly linked to Bitcoin creator Satoshi Nakamoto.

ESET has published technical details to raise awareness within the cybersecurity community. The malware has been classified as Filecoder.PromptLock.A.

Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

 

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
